From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1164488AbdDXDba (ORCPT <rfc822;w@1wt.eu>);
        Sun, 23 Apr 2017 23:31:30 -0400
Received: from zeniv.linux.org.uk ([195.92.253.2]:50726 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1163308AbdDXDbW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 23 Apr 2017 23:31:22 -0400
Date: Mon, 24 Apr 2017 04:31:20 +0100
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Guenter Roeck <linux@roeck-us.net>
Cc: linux-kernel@vger.kernel.org, Richard Kuo <rkuo@codeaurora.org>,
        Ley Foon Tan <lftan@altera.com>
Subject: Re: Build failure in -next due to 'hexagon: switch to RAW_COPY_USER'
Message-ID: <20170424033120.GV29622@ZenIV.linux.org.uk>
References: <20170424003545.GC1549@roeck-us.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170424003545.GC1549@roeck-us.net>
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 23, 2017 at 05:35:45PM -0700, Guenter Roeck wrote:
> hexagon:defconfig fails to build in -next with the following build error.
> 
> 
> In file included from include/linux/uaccess.h:13:0,
>                  from include/linux/poll.h:11,
>                  from include/linux/ring_buffer.h:7,
>                  from include/linux/trace_events.h:5,
>                  from include/trace/syscall.h:6,
>                  from include/linux/syscalls.h:82,
>                  from init/main.c:20:
> arch/hexagon/include/asm/uaccess.h: In function 'hexagon_strncpy_from_user':
> arch/hexagon/include/asm/uaccess.h:100:3: error: implicit declaration of function 'copy_from_user' [-Werror=implicit-function-declaration]
> In file included from include/linux/poll.h:11:0,
>                  from include/linux/ring_buffer.h:7,
>                  from include/linux/trace_events.h:5,
>                  from include/trace/syscall.h:6,
>                  from include/linux/syscalls.h:82,
>                  from init/main.c:20:
> include/linux/uaccess.h: At top level:
> include/linux/uaccess.h:145:1: error: conflicting types for 'copy_from_user'
> arch/hexagon/include/asm/uaccess.h:100:3: note: previous implicit declaration of 'copy_from_user' was here

Hmm...  FWIW, this
static inline long hexagon_strncpy_from_user(char *dst, const char __user *src,
                                             long n)
{
        long res = __strnlen_user(src, n);

        if (unlikely(!res))
                return -EFAULT;

        if (res > n) {
                copy_from_user(dst, src, n);
                return n;
        } else {
                copy_from_user(dst, src, res);
                return res-1;
        }
}
is bloody wrong.  Think what happens if in getname_flags() we have
__strnlen_user(filename, EMBEDDED_NAME_MAX) return 2.  We call
copy_from_user(kname, filename, 2) and return 1.  For caller it means
"one-character string, NUL-terminated", but there's no warranty that 
the second byte copied had been NUL.  And the destination was *NOT*
zero-filled, so there's nothing to guarantee us any zero bytes until
the end of allocated area.

If strncpy_from_user(dst, src, n) returns a number less than n, the result
must be NUL-terminated.  Looking through other architectures, nios2 appears
to be vulnerable to the same problem.  I hadn't finished looking
(xtensa, h8300 and score left to check), but the rest appears to be OK...